Synthesis : Scott Becker

Forcing HTTPS on WordPress with Apache

This site lives on a long-lived Dreamhost account, and until a couple of months ago, like many older sites, it had been happily humming along without SSL set up.

That’s not really a big deal for a public-facing blog site, or so the old thinking went. But since I do log in to update content once in a while, it makes sense to get it up to date with current security best practices and not send passwords in the clear, so…

There are many options for how to do this, and I don’t reach for Dreamhost these days for new web projects, but since it ain’t broke… I went hunting for how to do that on Dreamhost. A couple of months ago I did the first half of this project, and figured out how to set up Let’s Encrypt for a website in the Dreamhost admin panel – too easy. Worked right away… But one problem: no redirect of HTTP to HTTPS, so the old insecure site continued to work just fine. Also, my custom web font wasn’t rendering correctly.

Then I just forgot all about it, until today. I’m planning to blog here again, so I took a look and fixed the issues.

First, my web font wasn’t rendering because I had an “http://” URL referring to the web font, and the browser was refusing to load insecure content on a page served over HTTPS. A quick edit of the header PHP file for my theme to make that an “https://” URL fixed that up.

Second, forcing HTTPS. From doing this many times, I know this means redirecting from HTTP to HTTPS. My WordPress site is hosted on Dreamhost and runs within Apache, so I was searching around (much of professional software development is having good internet search skills). First, I searched “wordpress redirect to https” and found “How to Redirect HTTP to HTTPS in WordPress”, which mentions how to do it on Kinsta (a different hosting provider, not applicable), Nginx (not applicable), Apache (applicable!), and via a WordPress plugin (applicable!). Since Apache is lower level than WordPress itself, this is more desirable (it can’t get blown away by an update or conflict with other WordPress plugins). Apache it is, which involves editing a .htaccess file. Then I searched “wordpress dreamhost .htaccess” and found “Force your site to load securely with an .htaccess file” on the Dreamhost knowledge base, which shows where on the server file system to find this file for a particular Dreamhost site, and what to put in it – same code as the Kinsta article.

The magical .htaccess incantation?

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

Looks like it turns the rewrite engine on, applies the rule only when the HTTPS variable is not “on” (that is, the request came in over plain HTTP), and answers any such request with a 301 (Moved Permanently) redirect to its https:// equivalent.

Then I remembered I used to have SSH access to Dreamhost set up. Did it still work? Yes, it did! Was the file where the help article said it would be? It was. Edited it. Tested it with curl:

$ curl -i http://synthesis.sbecker.net/

HTTP/1.1 301 Moved Permanently
Date: Tue, 14 Jul 2020 05:31:58 GMT
Server: Apache
Location: https://synthesis.sbecker.net/
Cache-Control: max-age=600
Expires: Tue, 14 Jul 2020 05:41:58 GMT
Content-Length: 238
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://synthesis.sbecker.net/">here</a>.</p>
</body></html>

Works!
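To make that curl check repeatable, here is a small shell function, added as an example and not part of the original post, that reads response headers on stdin and confirms the status is 301 and the Location is the requested URL with only the scheme changed. The function names check_https_redirect and sample_response are made up for this example; the sample headers are the ones from the curl output above.

```shell
#!/bin/sh
# Added example (not from the original post): check that a plain-HTTP
# response is the redirect the .htaccess rule should produce.
# Usage: curl -sI http://example.invalid/path | check_https_redirect http://example.invalid/path

check_https_redirect() {
  local url expected headers status location
  url=$1
  case $url in
    http://*) ;;
    *) echo "FAIL: expected an http:// URL, got '$url'"; return 2 ;;
  esac
  # The rule rebuilds the target from %{HTTP_HOST}%{REQUEST_URI}, so the
  # Location should be the requested URL with only the scheme changed.
  expected="https://${url#http://}"

  # Strip CRs and keep only the header block (up to the first blank line),
  # so a "Location:" string in the HTML body is never mistaken for a header.
  headers=$(tr -d '\r' | sed '/^$/q')
  status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  # Header names are case-insensitive; take the first Location header.
  location=$(printf '%s\n' "$headers" |
    awk 'tolower($0) ~ /^location:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }')

  if [ "$status" != "301" ]; then
    echo "FAIL: status '$status', expected 301"; return 1
  fi
  if [ "$location" != "$expected" ]; then
    echo "FAIL: Location '$location', expected '$expected'"; return 1
  fi
  echo "OK: $url -> $location"
}

# Headers taken from the curl output shown in the post.
sample_response() {
  cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Date: Tue, 14 Jul 2020 05:31:58 GMT
Server: Apache
Location: https://synthesis.sbecker.net/
Cache-Control: max-age=600

<html>body omitted</html>
EOF
}

sample_response | check_https_redirect "http://synthesis.sbecker.net/"
```

Running it against a deep link with a query string, not just the home page, also confirms that the path and query survive the redirect.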


Sidenote – The above is a first go at a new format I’m going to try for a bit. I needed a place to put this writing, and this old dusty blog already existed, so I’m reviving it.

I plan to write about / document something I learned once a day or so (with exceptions for trips, vacations, needed breaks, etc.). It can be the simplest, stupidest thing, as long as I learned anything at all.

I’m going to commit to this for at least one week.

 
